Vulnerability Description
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
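The following Ruby is an added illustration of the bug class, not code from Spree or from the fix commit. It models a user-update path that hands the request hash straight to mass assignment, so an ordinary authenticated user can submit a role key (here `spree_role_ids`, a constructed name) alongside a legitimate field and grant themselves a role. The hardened class applies an explicit per-attribute whitelist in the spirit of Rails 3 `attr_accessible` (the Rails generation Spree 1.x ran on); the role ids, attribute names and request body are constructed for the example.

```ruby
# Added example for CVE-2013-2506 (not Spree's code): unfiltered mass assignment
# on user update versus an attribute whitelist. Role ids are constructed.
ADMIN_ROLE_ID = 2
USER_ROLE_ID  = 1

# Vulnerable shape: every key in the params hash becomes a setter call,
# including the association that controls the user's roles.
class VulnerableUser
  attr_accessor :email, :password, :spree_role_ids

  def initialize(email)
    @email = email
    @spree_role_ids = [USER_ROLE_ID]
  end

  def update_attributes(attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
    self
  end

  def admin?
    spree_role_ids.include?(ADMIN_ROLE_ID)
  end
end

# Hardened shape: only attributes an account may change about itself are
# assignable. Everything else is dropped and reported, never written.
class HardenedUser < VulnerableUser
  PERMITTED = %w[email password].freeze

  # Returns the list of rejected keys so callers can log the attempt.
  def update_attributes(attrs)
    rejected = []
    attrs.each do |name, value|
      if PERMITTED.include?(name.to_s)
        public_send("#{name}=", value)
      else
        rejected << name.to_s
      end
    end
    rejected
  end
end

# Constructed request body a logged-in user could send to the account update
# endpoint: `email` is legitimate, `spree_role_ids` is the injected key.
def attacker_params
  {
    "email" => "mallory@example.com",
    "spree_role_ids" => [USER_ROLE_ID, ADMIN_ROLE_ID]
  }
end

# Returns true when the injected key escalated the account to admin.
def exploit_vulnerable
  user = VulnerableUser.new("mallory@example.com")
  user.update_attributes(attacker_params)
  user.admin?
end

# Returns [admin?, rejected_keys] for the hardened model.
def exploit_hardened
  user = HardenedUser.new("mallory@example.com")
  rejected = user.update_attributes(attacker_params)
  [user.admin?, rejected]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable user becomes admin: #{exploit_vulnerable}"
  admin, rejected = exploit_hardened
  puts "hardened user becomes admin: #{admin}; rejected keys: #{rejected.inspect}"
end
```

The point of the whitelist is that role membership is never assignable through the self-service update path at all; granting roles belongs to a separate, admin-only action. Silently dropping the key mirrors the default Rails 3 `attr_accessible` behaviour; raising on unexpected keys (strict sanitizer) is the stricter choice and surfaces probing in the logs.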
CVSS Score
4.0 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Spreecommerce | Spree | 1.1.0 |
Related Weaknesses (CWE)
References
- http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed (Vendor Advisory)
- https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda (fix commit)
FAQ
What is CVE-2013-2506?
CVE-2013-2506 is a vulnerability with a CVSS score of 4.0 (MEDIUM). app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
How severe is CVE-2013-2506?
CVE-2013-2506 has been rated MEDIUM with a CVSS base score of 4.0/10. The score reflects that exploitation requires an authenticated account; the outcome, however, is that any registered user can grant themselves arbitrary roles, including administrative ones, so treat it as a privilege escalation rather than a low-impact issue.
Is there a patch for CVE-2013-2506?
Yes. The vendor advisory and the spree_auth_devise commit linked in the references section carry the fix. Per the description, 1.1.6 closes the issue on the 1.1.x branch, while the 1.2.x and 1.3.x releases are listed as affected, so update spree_auth_devise to a release that includes the referenced commit. Affected products include: Spreecommerce Spree.